(12) 
(19) 

PATENT APPLICATION 
AUSTRALIAN PATENT OFFICE 

(A 1) ADDlication No AU 200039412 A1 

(54) 

Title 

Electronic data management system 


(51) 7 

International Patent Classification(s) 
G06F 017/40 G06F 012/14 


(21) 

Application No: 200039412 

(22) Application Date: 2000.06.09 

(30) 

Priority Data 



rMumDer ww uaie 
11-164179 1999.06.10 

(oJ; country 
JP 

(43) 
(43) 

Publication Data • 2000 12 14 
Publication Journal Date : 2000.12.14 


(71) 

Applicant(s) 
NEC Corporation 


(72) 

Inventor(s) 
Satoshl Hoshlno 


(74) 

Agent/Attorney 

SPRUSON and FERGUSON.GPO Box 3898.SYDNEY NSW 2001 


BEST AVAILABLE COPV 


ELECTRONIC DATA MANAGEMENT SYSTEM 


ABSTRACT OF THE DISCLOSURE 


A user inserts a magnetic card (2) to a magnetic card reader (11), and inputs 
his/her electronic signature and dealing data through an input device (18). The input 
dealing data are recorded on an electronic account data file (16) together with the 
electronic signature. The input data are also recorded on a log file (17) after encryption. 
An administrator inserts his/her IC card (4) to an IC card reader/writer (14) for updating 
the dealing data. The IC card reader/writer (14) collaborates with a SAM (15) to certify 
the inserted IC card (4) (medium verification). A finger print recognizer (12) obtains the 
administrator's finger print (3) to compare it with finger print data stored in a finger print 
file (13) (user verification). If both medium verification and user verification are passed, 
a controller (10) decodes log data in the log file (17). After the log data are decoded, the 
administrator is allowed to access the electronic account data file (16) to update data. 
Data regarding the update done by the administrator are also recorded on the log file (17) 
after encryption. 
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The claims defining the invention are ae follows: 

1. An electronic data management system which comprises a controller (10) for 
executing a program stored in a memory (10b) while being connected to an input device 
(18) for data input, storage units (20, 21), and a data reader (14) for reading data stored in 
a first recording medium (4), wherein 
5 said storage units comprise a first storage unit (21) which stores an electronic data 

record file (16) including electronic data, and a second storage unit (20) which stores a 
log file (17) including log data representing input or update log of the electronic data 
recorded on said electronic data record file (16), 

said input device (18) inputs electronic data to be recorded on said electronic data 
10 record file (16), and update data to update the recorded electronic data, 

said controller executes the program stored in said memory (10b) to: 

store log of the electronic data input from said input device (18) in the log file (17) 
(stepS 12); 

store the electronic data input from said input device (18) in the electronic data 
15 record file (16) (steps S13, S35); 

control said data reader (4) to determine whether said first recording medium (4) 
being accessed by said data reader (4) is certified medium or not (step S21); 

determine whether said system is operated by a certified operator based on 
externally given information (step S23); 
20 allow the operator to input the update data through said input device (18) to update 

the electronic data in the electronic data record file (16) when said first recording medium 
(4) and the operator are certified (steps S25, S26); 

update the electronic data in the electronic data record file (16) in accordance with 
the update data input by said input device (18) (step S28); and 
25 store log of the update data input by the input device (18) in the log file (17) (step 

S27). 



S&FRef: 511366 

AUSTRALIA 
PATENTS ACT 1990 
COMPLETE SPECIFICATION 

FOR A STANDARD PATENT 

ORIGINAL 


Name and 

Address 

of Applicant : 


Actual 
Inventor(s): 

Address for 
Service: 


NEC Corporation 

7-1, Shiba 5-chome 

Minato-ku 

Tokyo 

Japan 

Satoshi Hoshino 


Spruson & Ferguson 
St Martins Tower 
31 Market Street 
Sydney NSW 2000 


Invention Title: 


Electronic Data Management System 


The following statement is a full description of this invention, including the best method of 
performing it known to me/us> 


5845c 


V • 


• • • 


• ••• 

t • ♦ 

• • • 


ELECTRONIC DATA MANAGEMENT SYSTEM 
BACKGROUND OF THE INVENTION 
Field of the Invention 
The present invention relates to an electronic data management system and the like, 
5 suitable for managing electronic data such as electronic account data which require secure 
management. 

Description of the Related Art 
Any country has a law which decrees that business account documents regarding to 
dealings should be kept for a predetermined period. In Japan, a law which accepts 
1 0 electronic data files representing business accounts, have been effective since January 
1999. Such the business account data require more secure management as compared to 
other ordinary electronic data files, because they must be protected from serious crimes 
such as tax evasion and misappropriation of public fund. 

Verification by password has been a major way to certify a data administrator, 
1 5 however, it is not perfect protection because one who steals password can access the data 
easily. The business account data have required another new protection technique 
having improved security. 

SUMMARY OF THE INVENTION 
It is an object of the present invention to provide secure data management OF 
20 electronic data such as an electronic account file. 

To accomplish the above object, an electronic data management system according to 
a first aspect of the present invention is an electronic data management system which 
comprises a controller (10) for executing a program stored in a memory (10b) while being 
connected to an input device (18) for data input, storage units (20, 21), and a data reader 
25 (14) for reading data stored in a first recording medium (4), wherein 

the storage units comprise a first storage unit (21) which stores an electronic data 
record file (16) including electronic data, and a second storage unit (20) which stores a 
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log file (17) including log data representing input or update log of the electronic data 
recorded on the electronic data record file (16), 

the input device (18) inputs electronic data to be recorded on the electronic data 
record file (16), and update data to update the recorded electronic data, 
5 the controller executes the program stored in the memory (10b) to: 

store log of the electronic data input from the input device (18) in the log file (17) 
(stepS 12); 

store the electronic data input from the input device (18) in the electronic data 
record file (16) (steps S13, S35); 
1 0 control the data reader (4) to determine whether the first recording medium (4) 

being accessed by the data reader (4) is certified medium or not (step S21); 

determine whether the system is operated by a certified operator based on externally 
given information (step S23); 

allow the operator to input the update data through the input device (18) to update 
15 the electronic data in the electronic data record file (16) when the first recording medium 
(4) and the operator are certified (steps S25, S26); 

update the electronic data in the electronic data record file (16) in accordance with 
the update data input by the input device (18) (step S28); and 

store log of the update data input by the input device (18) in the log file (17) (step 

20 S27). 

In the above system, the second storage unit (21) may be detachably connected to 
the system. 

In the above system, the first recording medium (4) may be detachably connected to 
the data reader (14). 

25 In the system, the first recording medium (4) may store predetermined encryption 

keys. In this case, the system further comprises a medium verification unit (15) which 
stores predetermined encryption keys, collaborates with the data reader (14) to perform 
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medium verification by the challenge-response with using the own encryption key and the 
encryption key read from the first recording medium (4), and informs the controller (10) 
of the verification results. 

In the above system, the controller (10) may encrypt the log of the electronic data 
5 input by the input device (18) with the predetermined encryption key, and store the 
encrypted data in the log file (17). 

In this case, the controller decodes the encrypted log of the input electronic data 
stored in the log file (17) with using a predetermined decode key when the controller (10) 
certifies the first recording medium (4) and the operator, and 
10 the system further comprises an output device (19) which outputs the log of the 

input electronic data decoded by the controller (10). 

The input device (18) may input the update data in accordance with the log of the 
input electronic data output by the output device (19). 

In the above system, the input device (18) may also input verification information 
15 representing an operator who inputs the electronic data or the update data. In this case, 
the controller (10) associates the verification information input by the input device (18) 
with the input or updated electronic data before storing the electronic data in the 
electronic data record file (16). 

In the above system, the storage units may further comprise a third storage unit (20) 
20 which stores a physical characteristic data file (13) including data representing physical 
characteristics of the certified operator. In this case, the system further comprises a data 
input device (12a) which inputs data representing the operator's physical characteristics, 
and a user verification unit (12, 10) which compares the physical characteristic data input 
by the data input device (12a) with the physical characteristic data stored in the physical 
25 characteristic data file (13), and determines whether the operator is the certified operator 
or not based on the comparison results. 

In this case, the first recording medium (4) may further store data relating to the 


physical characteristics of the certified operator, and 

the user verification unit (12, 10) compares the physical characteristic data input by 
the data input device (12a) with the physical characteristic data stored in the first 
recording medium (4), and determines whether the operator is the certified operator or not 
based on the comparison results. 

The controller (10) may act as the user verification unit by executing a program 
stored in the memory (10b). 

In the above system, the controller (10) may store the electronic data stored by the 
input device (18) in the electronic data record file (16) immediately after the data input. 

In the above system, the controller (10) may store the electronic data in the 
electronic data record file (16) based on the log of the electronic data stored in the log file 
(17) when the controller (10) certifies the first recording medium (4) and the operator. 

The above system according to the first aspect may further comprise a second data 
reader (11) which reads data stored in a detachable second recording medium (2). In 
this case, the controller (10) allows the input device (18) to input the electronic data when 
the controller (10) certifies the second recording medium (2) based on the data read by the 
second data reader (1 1). 

In the above system, the electronic data record file (16) stores, for example, 
electronic account data. In this case, the electronic data and the update data may include 
information regarding to dealings and information for updating the dealing information to 
be recorded on the electronic account. 

To accomplish the above object, an electronic data management system according to 
a second aspect comprises: 

data input means (18) for inputting electronic data; 

electronic data recording means (16) for recording information input by the data 
input means (18); 

medium verification means (14, 15) for verifying a detachable recording medium (4) 


when the recording medium (4) is applied to the medium verification means (14, 15); 

user verification means (1 1, 12) for determining whether an operator is a certified 
one or not; 

access authorization means (10) for authorizing input of update data for updating the 
electronic data recorded on the electronic data recording means (16), when the medium 
verification means (14, 15) verifies the recording medium and the user verification means 
(1 1, 12) verifies the operator; 

update data input means (18) for inputting the update data when the access 
authorization means (10) authorizes input of the update data; 

data update means (10) for updating the electronic data stored in the electronic data 
recording means (16) in accordance with the update data input by the update data input 
means (18); and 

log management means (17) for recording log of the electronic data input by the 
data input means (18) and log of the update data input by the update data input means 
(18). 

The above system may further comprise electronic data output means (19) for 
outputting the log of the electronic data recorded on the log management means (17) 
when the access authorization means (10) authorizes the update data input. 

In this case, the update data input means (18) may input the update data in 
accordance with the electronic data output by the electronic data output means. 

In the above system, the data input means (18) may also input verification 
information representing who inputs the electronic data, and 

the update data input means (18) may also input verification information 
representing who inputs the update data. In this case, the electronic data recording 
means (16) associates the verification information representing who inputs the electronic 
data or the update data with the input electronic data or updated electronic data before 
recording the electronic data. 
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To accomplish the above object, a method according to a third aspect of the present 
invention is a method of managing electronic data which is applicable to a system 
comprising an electronic data record file (16) for recording electronic data, and a log file 
(17) for recording log of input or update of the electronic data to be recorded on the 
5 electronic data record file (16), the method comprises: 

inputting the electronic data to be recorded on the electronic data record file (16) 
(stepS 11); 

storing log of the input electronic data in the log file (17) (step S12); 

recording the input electronic data on the electronic data record file (16) (step SI 3, 

10 S35); 

discriminating whether a detachable recording medium (4) is certified one or not 
when the recording medium is applied to the system (step S21); 

discriminating whether a certified operator operates the system or not (step S23); 

permitting input of update data for updating the electronic data recorded on the 
1 5 electronic data record file (16) when the recording medium (4) and the operator are 
certified (step S25); 

inputting the update data after the permission (step S26); 

updating the electronic data in the electronic data record file (16) in accordance with 
the input update data (step S28); and 
20 storing log of the input update data in the log file (17) (step S27). 

In the above method, the permitting the update data input (step S25) may output the 
log of the input electronic data stored in the log file (17) In this case, the update data are 
input in accordance with the output electronic data (step S26). 

In the above method, log of the input electronic data and the update data may be 
25 encrypted when storing the log of the input electronic data or the log of the input update 
data (step SI 2) in the log file (17). 

In this case, the log of the input electronic stored in the log file (17) may be decoded 
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when the recording medium (4) and the operator are certified, to output the log data (step 
S25). 

In the above method, the inputting the electronic data (SI 1) may also inputs 
verification information representing who input the electronic data, and 
5 the inputting the update data (step S26) may also inputs verification information 

representing who inputs the update data. 

In this case, the recording the electronic data on the electronic data record file (16) 
(step SI 2) associates the verification information representing who inputs the electronic 
data with the electronic data before recording the electronic data on the electronic data 
1 0 record file (16), and 

the recording the update data on the electronic data file (16) (step S28) associates 
the verification information representing who inputs the update data before recording the 
update data on the electronic data record file (16). 

In the above method, the discriminating the certified operator (step S23) may 
1 5 compare data representing physical characteristics of an operator with previously stored 
data representing physical characteristics of the certified operator. 

In the above method, the recording the electronic data on the electronic data record 
file (16) (step SI 3) may record the electronic data immediately after the inputting the 
electronic data (step SI 1) inputs the electronic data. 
20 The recording the electronic data (step S35) may record the electronic data on the 

electronic data record file (16) when the discriminations certify the recording medium (4) 
and the operator. 

To accomplish the above object, a computer readable recording medium according 
to a third aspect of the present invention is a computer readable recording medium (51) 
25 storing a program which causes a computer system comprising an electronic data record 
file (16) for recording electronic data and a log file (17) for storing log of input or updated 
electronic data to be recorded on the electronic data record file (16), the program 
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comprises the steps of: 

inputting the electronic data to be recorded on the electronic data record file (16) 
(stepS 11); 

storing log of the input electronic data in the log file (17) (step S12); 
5 recording the input electronic data on the electronic data record file (16) (step S13, 

S35); 

discriminating whether a detachable recording medium (4) is certified one or not 
when the recording medium is applied to the system (step S21); 

discriminating whether a certified operator operates the system or not (step S23); 
1 0 permitting input of update data for updating the electronic data recorded on the 

electronic data record file (16) when the recording medium (4) and the operator are 
certified (step S25); 

inputting the update data after the permission (step S26); 

updating the electronic data in the electronic data record file (16) in accordance with 
15 the input update data (step S28); and 

storing log of the input update data in the log file (17) (step S27). 

By the program stored in the above recording medium, the electronic data input step 
(step SI 1) may also input verification information representing who inputs the electronic 
data; 

20 the update data input step (step S26) may also input verification information 

representing who inputs the update data; 

the electronic data recording step (step SI 2) may associate the electronic data with 

the verification information representing who inputs the electronic data before recording 

the electronic data on the electronic data record file (16); and 
25 the update data recording step (step S28) may associate the update data with the 

verification information representing who inputs the update data before recording the 

update data on the electronic data record file (16). 
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To accomplish the above object, a program data signal according to a fourth aspect 
of the present invention is a program data signal being embeded in a carrier wave, which 
represents a program for causing a computer system comprising an electronic data record 
file (16) for recording electronic data and a log file (17) for recording input or update log 
5 of the electronic data to be recorded on the electronic data record file, the program data 
signal comprises: 

a segment for inputting the electronic data to be recorded on the electronic data 
record file (16) (step SI 1); 

a segment for recording log of the input electronic data on the log file (17) (step 

10 S12); 

a segment for recording the input electronic data on the electronic data record file 
(16) (steps S13,S15); 

a segment for discriminating whether a detachable recording medium (4) is certified 
one or not when the recording medium is applied to the computer system (step S21); 
15 a segment for discriminating whether an operator is a certified operator or not (step 

S23); 

a segment for permitting input of update data for updating the electronic data 
recorded on the electronic data record file (16) when the recording medium (4) and the 
operator are certified (step S25); 
20 a segment for inputting the update data when the update data input is permitted (step 

S26); 

a segment for updating the electronic data recorded on the electronic data record file 
(16) in accordance with the input update data; and 

a segment for storing log of the input update data in the log file (17) (step S27). 
25 In the program data signal, the electronic data input segment (step S 1 1) may also 

input verification information representing who inputs the electronic data, 

the update data input segment (step S26) may also input verification information 


10 

representing who inputs the update data, 

the electronic data recording segment (step S12) may associate the verification 
information representing who inputs the electronic data with the electronic data before 
recording the electronic data on the electronic data record file (16), and 

the update data recording segment (step S28) may associate the verification 
information representing who inputs the update data before recording the update data on 
the electronic data record file (16). 

BRIEF DESCRIPTION OF THE DRAWINGS 

These objects and other objects and advantages of the present invention will become 
more apparent upon reading of the following detailed description and the accompanying 
drawings in which: 

FIG. 1 is a block diagram showing the structure of an electronic account 
management system according to an embodiment of the present invention; 

FIG. 2 is a diagram showing data recorded on an electronic account file shown in 
FIG. 1; 

FIG. 3 is a diagram showing data recorded on a log file shown in FIG. 1 ; 
FIG. 4 is a flowchart showing a process flow when a user inputs dealing data; 
FIG. 5 is a flowchart showing a process flow when an administrator updates the 
dealing data; 

FIG. 6 is a flowchart showing a process flow when data recording on the electronic 
account file is done by the administrator solely; and 

FIGS. 7 A and 7B are block diagrams schematically showing updated electronic 
account management systems according to modified embodiments of the present 
invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
A preferred embodiment of the present invention will now be described with 
reference to accompanying drawings. 
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FIG. 1 is a block diagram showing the structure of an electronic account file 
management system according to the embodiment. As shown in FIG. 1, the system 
comprises an electronic account file manager 1 to which an input device 18 and an output 
device 19 are connected, and a magnetic card 2 and an IC (Integrated Circuit) card 4 
which are detachable to the electronic account file manager 1. The system obtains data 
representing finger print 3 as the administrator's physical characteristics (described later 
in detail). 

The magnetic card 2 is owned by a user who utilizes the system, that is, who 
operates the system to record his/her dealing data. More precisely, the user inserts the 
magnetic card 2 into a card reader 1 1 and inputs his/her dealing data through the input 
device 18. The IC card 4 is owned by the system administrator. The administrator 
inserts the IC card 4 into a reader/writer 14 and inputs command through the input device 
18 to update and/or delete the dealing data. The IC card 4 previously stores data 
representing the administrator's finger print and predetermined cryptograph keys. 

The electronic account file manager 1 is a special purpose computer or a customized 
general purpose computer. The electronic account file manager 1 comprises a controller 
10 including a CPU (Central Processing Unit) 10a, an internal memory 10b and a timer 
10c, a magnetic card reader 1 1, a finger print recognizer 12, an IC card reader/writer 14, a 
SAM (Secure Application Module) 15, fixed disks 20 storing a finger print file 13 and a 
log file 17, and a detachable recording medium 21 storing an electronic account file 16. 

In the controller 10, the CPU 10a executes a program (described later) stored in the 
internal memory 10b to control the magnetic card reader 11, the finger print recognizer 12, 
the IC card reader/writer 14 and the SAM 15, and/or updates the contents of the electronic 
account file 16 and the log file 17. The controller 10 outputs to the output device 19 any 
result at any appropriate timing. The controller 10 records log on the log file 17 in 
accordance with time information counted by the timer 10c. 

The magnetic card reader 1 1 reads data recorded on the magnetic card 2 inserted. 
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When the reader 1 1 certifies the owner of the inserted card 2, the reader 1 1 informs the 
controller 10 of it 

The finger print recognizer 12 comprises a scanner 12a which scans the finger print 
3, and performs pattern matching among the data representing the scanned finger print 3, 
finger print data stored in the finger print file 13, and finger print data read from the IC 
card 4. In a case where the data representing the scanned finger print 3 coincide with the 
finger print data in the finger print file 13 and the IC card 4, the finger print recognizer 12 
verifies that the scanned finger print 3 is the administrator's finger print, and informs the 
controller 10 of it. 

The finger print file 13 is prepared in the fixed disk 20 in the electronic account file 
manager 1. The finger print file 13 previously stores finger print(s) 3 of the 
administrators) of the electronic account file manager 1 . In this case, the finger print(s) 
are scanned by the scanner 12a of the finger print recognizer 12. In order to prevent the 
data in the finger print file 13 from being falsified, the electronic account file manager 1 
may employ a protection system which allows the administrator to access the finger print 
file 13 only when the IC card 4 inserted in the IC card reader/writer 14 is certified. 

The IC card reader/writer 14 reads data on the IC card 4 inserted. The IC card 
reader/writer 14 collaborate with the SAM 15 to perform verification procedure 
(described later). When the verification is successful, the IC card reader/writer 14 
informs the controller 10 of it. The IC card reader/writer 14 is also applicable to writing 
finger print data and cryptograph keys on the IC card 4. 

The SAM 15 is, for example, a single chip semiconductor device. The SAM 15 
stores cryptograph keys (private key and public key). The SAM 15 collaborates with the 
IC card reader/writer 14 to perform verification by challenge-response technique utilizing 
the cryptograph keys in the SAM 15 and the IC card 4 when the IC card 4 is inserted in 
the IC card reader/writer 14. 

The electronic account file 16 is prepared on a detachable rewritable storage 
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medium 2 1 such as MO, CD-R, and DVD. As shown in FIG. 2, the electronic account 
file 16 stores data sets regarding to dealings and associated user's name who input the 
data set. In the electronic account file 16, electronic signature (ESIG) represents the 
user's names. Data recording on the electronic account file 16 may be done at every 
5 dealings, or may be batched in accordance with the log data in the log file 17. 

The log file 17 is prepared in the fixed disk 20 in the electronic account file manager 
1. The log file 17 stores log data relating to dealings and data update (hereinafter data 
update includes data deleting). FIG. 3 shows records in the log file 17, that is, "date", 
"time", "user's name", "dealings", "amount", "termination" flag, "update" flag, and 

10 "updated items". 

The log file 17 stores the log data record by record each time the user inputs dealing 
data and the administrator updates the data. The log data are encrypted by the public 
key in the SAM 15. Only the administrator is allowed to decode the log data by using 
the private key in the SAM 15. 

1 5 The input device 18 may be a keyboard or the like operated by the user and the 

administrator to input dealing data and any commands. The output device 19 may be a 
display or the like which displays requested results output by the controller 10, for 
example, it displays decoded log data in the log file 17 when the administrator updates the 
electronic account file 16. 

20 How the electronic account managing system manages the electronic account file 16 

will now be described. As conditions for the following explanation, dealing data will be 
recorded on the electronic account file 16 each time the dealing is done, and data 
representing the administrator's finger print 3 has been previously stored in the finger 
print file 13 and the IC card 4 owned by the administrator before using the system. 

25 FIG. 4 is a flowchart showing steps for inputting dealing data by the user. The 

process flow starts after the magnetic card reader 1 1 informs the controller 10 that the 
magnetic card 2 inserted to the reader 1 1 and its user are verified. 
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The user operates the input device to input dealing data and his/her electronic 
signature (ESIG) (step S 1 1). The controller 10 affixes date and time obtained by the 
timer 10c and user's name to the input dealing data, thus, 1 record of log data is prepared. 
Then the controller 10 fetches the public key from the SAM 15 to encrypt the prepared 1 
5 record data, and stores it on the log file (17) (step SI 2). 

The controller 10 associates the input dealing data with the user's electronic 
signature and stores them on the electronic account file 16 (step SI 3). Then, the process 
flow is terminated. 

FIG. 5 is a flowchart showing steps for updating the dealing data by the 
1 0 administrator. This process flow starts after the administrator inserts his/her IC card 4 to 
the IC card reader/writer 14. 

The IC card reader/writer 14 collaborates with the SAM 15 to perform certification 
by challenge-response technique with using the cryptograph keys in the inserted IC card 4 
and the SAM 15 to certify the IC card 4 (step S21). The controller 10 determines 
1 5 whether the certification is successful or not based on information from the IC card 
reader/writer 14 representing the certification results (step S22). 

If the certification successful, the controller 10 controls the finger print recognizer 
12 to perform finger print comparison. That is, the finger print recognizer 12 drives the 
scanner 12a to scan the finger print 3. The finger print recognizer 12 compares finger 
20 print data representing scanned finger print 3, finger print data in the IC card 4 read by the 
IC card reader/writer 14, and finger print data stored in the finger print file 13 by pattern 
matching technique. The finger print recognizer 12 compares pattern data of the three 
finger print data sets (step S23). Then, the controller 10 discriminates whether the 
compared three finger print data sets coincide with each other or not based on information 
25 from the finger print recognizer 12 representing the comparison results (step S24). 

If the three finger print data sets coincide with each other, the controller 10 fetches 
the private key from the SAM 15 to decode the log data in the log file 17. Hie controller 
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10 controls the output device 19 to display the decoded log data (step S25). Once the 
log data are displayed on the output device 19, the administrator is allowed to update the 
log data. Then, the administrator operates the input device 18 to update the log data and 
input the administrator's electronic signature (step S26). 
5 The controller 10 affixes date and time obtained by the timer 10c and user's name to 

the updated data, thus, 1 record of log data is prepared. Then, the controller 10 fetches 
the public key from the SAM 15 to encrypt the updated 1 record of data, and stores it in 
the log file (17) (step S27). 

The controller 10 updates the data in the electronic account file 16 in accordance 
10 with the data updated at step S26, and associates the electronic signature input at step S26 
with the updated account data (step S28). And, the process flow is terminated. 

• • • 

If the certification was unsuccessful at step S22, or if the finger print data sets did 

•• ::## not coincide with each other at step S24, the controller 10 terminates the process flow 

• • • 

• 

immediately. 

15 The system according to the embodiment features the following four ways to realize 

•••• ^ 

t • • • I the secure data management. 

• • 

(1) Unless the administrator passes both medium verification and user verification, 

• • • 

• • • 

llll the administrator can not update the data in the electronic account file 16. That is, the 

system requires verification with the IC card 4 and verification with finger print 3. Such 

•••• 

• • • 

20 the dual verification realizes more effective data protection as compared to the 

conventional verification by password, because it is very difficult for persons other than 
the administrator to alter the data in the electronic account file 16. 

(2) The administrator verification with the scanned finger print 3 further requires 
dual verification, that is, pattern matching with the finger print data in the finger print file 

25 13 and with the finger print data in IC card 4. This structure prevents the electronic 
account file 16 from being illegally altered in a case where the finger print file in the 
finger print file 13 are falsified, or where the IC card 4 is illegally copied. 
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(3) Electronic signatures are affixed to the records in the electronic account file 16 
for clarifying who inputs and updates the record. This structure reveals illegal data 
alteration by uncertified person. 

(4) The log data in the log file 17 are encrypted by the public key in SAM 15. Hie 
5 administrator is allowed to decode the log data only when the administrator passes both 

medium verification and administrator verification. Therefore, only the administrator is 
allowed to read and update the log data in the log file 17. 

Accordingly, the system according to this embodiment realizes secure data 
management because unregistered person hardly access the electronic account file 16 to 
10 alter the data. Moreover, it is very difficult for unregistered persons to read the log file 
17. This feature also improves secure data management for the electronic account file 
16. 

In the above embodiment, the finger print 3 has been employed as physical 
characteristic for certifying the administrator. The present invention may employ 

1 5 various other physical characteristics for the administrator verification such as the iris, 
hand shape, facial characteristics, vocal characteristics, and the retina. The password 
verification may be employed in addition to or instead of the verification with the 
physical characteristics. 

The controller 10 may perform the finger print pattern matching by executing a 

20 program prepared in the internal memory 10b. In this case, the scanner 12a and the 
finger print file 13 may be external (peripheral) devices detachably connected to the 
controller 10. 

The IC card 4 may store the keys for encrypting and decoding the log data in the log 
file 17, instead of the SAM 15. 
25 In the above embodiment, the input data are recorded on the electronic account file 

16 immediately. Instead of this structure, only the administrator may be allowed to 
record the input data on the electronic account file 16. In this case, the process flow 
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• • • 

• • • 


shown in FIG. 4 is terminated at step S12 (step S13 is unnecessary). 

FIG. 6 is an additional flowchart shoring a process flow in a case where the system 
employs the above described structure. In this case, the process flow starts after the 
administrator inters the IC card 4 to the IC card reader/writer 14. 
5 After execution of steps S21 to S24 shown in FIG. 5 (step S31), the administrator 

operates the input device 18 to select options, dealing data update or data recording (step 
S32). The controller 10 determines which option was selected (step S33). 

If the data update was selected, steps S25 to S28 shown in FIG. 5 are executed (step 
S34). And, the process flow is terminated. On the contrary, if the data recording was 
1 0 selected, the controller 10 fetches the private key from the SAM 15 to decode the log data 
in the log file 17. Of the decoded records, the controller select records representing 
dealing data (or updated data) which have not been recorded on the electronic account file 
16, and records them with associating the administrators electronic signature therewith on 
the electronic account file 16 (step S35). And, the process flow is terminated. 
15 According to this structure in accordance with the process flow shown in FIG. 6, the 

data recording on the electronic account file 16 is done by the administrator. Therefore, 
this updated embodiment realizes more secure data management as compared to the 
above described original embodiment. 

The present invention may be applicable not only to managing the electronic 
20 account file 16 and the log file 17 featured in the above embodiments, but also to various 
electronic data managements. The present invention is effective in managing data which 
should be strongly protected from data stealing or falsification as well as the electronic 
account data. 

In the above embodiments, the CPU 10a executes the program stored in the internal 
25 memory 10b to execute the process flow shown in FIGS. 4, 5, and 6. The program may 
be stored in a computer readable recording medium. 

FIGS. 7A and 7B exemplifies cases of the separate program structure. FIG. 7A 
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exemplifies a case where the program is stored in MO (Magneto-optical disk) 51. In this 
case, an MO drive 50 reads the program from the MO 51 and transfers it to the internal 
memory 10b in the controller 10. FIG. 7B exemplifies another case where the program 
is stored in a remote server 62. In this case, the system comprises a communication unit 
60 which is connected to a network 61 to communicate with the server 62. The 
communication unit 60 request the server 62 via the network 61 to send a program data 
signal in which the program is embeded in a carrier wave signal. The communication 
unit 61 receives the program signal and transfers it to the internal memory 10b in the 
controller 10. FIGS. 7A and 7B do not show detailed illustration of the electronic 
account file manager 1, but it has the same structure as described in the above 
embodiments. 

Various embodiments and changes may be made thereunto without departing from 
the broad spirit and scope of the invention. The above-described embodiments are 
intended to illustrate the present invention, not to limit the scope of the present invention. 
The scope of the present invention is shown by the attached claims rather than the 
embodiments. Various modifications made within the meaning of an equivalent of the 
claims of the invention and within the claims are to be regarded to be in the scope of the 
present invention. 

This application is based on Japanese Patent Application No. HI 1-164179 filed on 
June 10, 1999 and including specification, claims, drawings and summary. The 
disclosure of the above Japanese Patent Application is incorporated herein by reference in 
its entirety. 
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The claims defining the invention are as follows: 

1. An electronic data management system which comprises a controller (10) for 
executing a program stored in a memory (10b) while being connected to an input device 
(18) for data input, storage units (20, 21), and a data reader (14) for reading data stored in 
a first recording medium (4), wherein 

said storage units comprise a first storage unit (21) which stores an electronic data 
record file (16) including electronic data, and a second storage unit (20) which stores a 
log file (17) including log data representing input or update log of the electronic data 
recorded on said electronic data record file (16), 

said input device (18) inputs electronic data to be recorded on said electronic data 
record file (16), and update data to update the recorded electronic data, 

said controller executes the program stored in said memory (10b) to: 

store log of the electronic data input from said input device (18) in the log file (17) 
(stepS 12); 

store the electronic data input from said input device (18) in the electronic data 
record file (16) (steps S 13, S35); 

control said data reader (4) to determine whether said first recording medium (4) 
being accessed by said data reader (4) is certified medium or not (step S21); 

determine whether said system is operated by a certified operator based on 
externally given information (step S23); 

allow the operator to input the update data through said input device (18) to update 
the electronic data in the electronic data record file (16) when said first recording medium 
(4) and the operator are certified (steps S25, S26); 

update the electronic data in the electronic data record file (16) in accordance with 
the update data input by said input device (18) (step S28); and 

store log of the update data input by the input device (18) in the log file (17) (step 

S27). 
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2. The system according to claim 1, wherein said second storage unit (21) is 
detachably connected to said system. 

3. The system according to claim 1, wherein said first recording medium (4) is 
detachably connected to said data reader (14). 

4. The system according to claim 1, wherein, 

said first recording medium (4) stores predetermined encryption keys, and 
said system further comprises a medium verification unit (15) which stores 
predetermined encryption keys, collaborates with said data reader (14) to perform 
medium verification by the challenge-response with using the own encryption key and the 
encryption key read from said first recording medium (4), and informs said controller (10) 
of the verification results. 

5. The system according to claim 1, wherein said controller (10) encrypts the log 
of the electronic data input by said input device (18) with the predetermined encryption 
key, and stores the encrypted data in the log file (17). 

6. The system according to claim 5, wherein said controller decodes the 
encrypted log of the input electronic data stored in the log file (17) with using a 
predetermined decode key when said controller (10) certifies said first recording medium 
(4) and the operator, and 

said system further comprises an output device (19) which outputs the log of the 
input electronic data decoded by said controller (10). 

7. The system according to claim 6, wherein said input device (18) inputs the 
update data in accordance with the log of the input electronic data output by said output 
device (19). 

8. The system according to claim 1, wherein said input device (18) also inputs 
verification information representing an operator who inputs the electronic data or the 
update data, and 

said controller (10) associates the verification information input by said input device 
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(18) with the input or updated electronic data before storing the electronic data in the 
electronic data record file (16). 

9. The system according to claim 1, wherein said storage units further comprise 
a third storage unit (20) which stores a physical characteristic data file (13) including data 
representing physical characteristics of the certified operator, and 

said system further comprises a data input device (12a) which inputs data 
representing the operator's physical characteristics, and a user verification unit (12, 10) 
which compares the physical characteristic data input by said data input device (12a) with 
the physical characteristic data stored in the physical characteristic data file (13), and 
determines whether the operator is the certified operator or not based on the comparison 
results. 

10. The system according to claim 9, wherein said first recording medium (4) 
further stores data relating to the physical characteristics of the certified operator, and 

said user verification unit (12, 10) compares the physical characteristic data input by 
the data input device (12a) with the physical characteristic data stored in said first 
recording medium (4), and determines whether the operator is the certified operator or not 
based on the comparison results. 

11. The system according to claim 9, wherein said controller (10) acts as said user 
verification unit by executing a program stored in said memory (10b). 

12. The system according to claim 1, wherein said controller (10) stores the 
electronic data stored by said input device (18) in the electronic data record file (16) 
immediately after the data input. 

13. The system according to claim 1, wherein said controller (10) stores the 
electronic data in the electronic data record file (16) based on the log of the electronic 
data stored in the log file (17) when said controller (10) certifies said first recording 
medium (4) and the operator. 

14. The system according to claim 1 further comprising a second data reader (1 1) 
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which reads data stored in a detachable second recording medium (2), wherein 

said controller (10) allows said input device (18) to input the electronic data when 
said controller (10) certifies said second recording medium (2) based on the data read by 
said second data reader (1 1). 

15. The system according to claim 1, wherein the electronic data record file (16) 
stores electronic account data, and 

the electronic data and the update data include information regarding to dealings and 
information for updating the dealing information to be recorded on the electronic account. 

16. An electronic data management system comprising: 
data input means (18) for inputting electronic data; 

electronic data recording means (16) for recording information input by said data 
input means (18); 

medium verification means (14, 15) for verifying a detachable recording medium (4) 
when said recording medium (4) is applied to said medium verification means (14, 15); 

user verification means (11,12) for determining whether an operator is a certified 
one or not; 

access authorization means (10) for authorizing input of update data for updating the 
electronic data recorded on said electronic data recording means (16), when said medium 
verification means (14, 15) verifies said recording medium and said user verification 
means (11, 12) verifies the operator; 

update data input means (18) for inputting the update data when said access 
authorization means (10) authorizes input of the update data; 

data update means (10) for updating the electronic data stored in said electronic data 
recording means (16) in accordance with the update data input by said update data input 
means (18); and 

log management means (17) for recording log of the electronic data input by said 
data input means (18) and log of the update data input by said update data input means 
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08). 

17. The system according to claim 16 further comprising electronic data output 
means (19) for outputting the log of the electronic data recorded on said log management 
means (17) when said access authorization means (10) authorizes the update data input, 

wherein said update data input means (18) inputs the update data in accordance with 
the electronic data output by said electronic data output means. 

18. The system according to claim 16, wherein said data input means (18) also 
inputs verification information representing who inputs the electronic data, 

said update data input means (18) also inputs verification information representing 
who inputs the update data, and 

said electronic data recording means (16) associates the verification information 
representing who inputs the electronic data or the update data with the input electronic 
data or updated electronic data before recording the electronic data. 

19. A method of managing electronic data which is applicable to a system 
comprising an electronic data record file (16) for recording electronic data, and a log file 
(17) for recording log of input or update of the electronic data to be recorded on the 
electronic data record file (16), said method comprising: 

inputting the electronic data to be recorded on the electronic data record file (16) 
(stepS 11); 

storing log of the input electronic data in the log file (17) (step S12); 

recording the input electronic data on the electronic data record file (16) (step SI 3, 

S35); 

discriminating whether a detachable recording medium (4) is certified one or not 
when said recording medium is applied to said system (step S21); 

discriminating whether a certified operator operates said system or not (step S23); 

permitting input of update data for updating the electronic data recorded on the 
electronic data record file (16) when the recording medium (4) and the operator are 
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certified (step S25); 

inputting the update data after the permission (step S26); 

updating the electronic data in the electronic data record file (16) in accordance with 
the input update data (step S28); and 

storing log of the input update data in the log file (17) (step S27). 

20. The method according to claim 19, wherein said permitting the update data 
input (step S25) outputs the log of the input electronic data stored in the log file (17), and 

the update data are input in accordance with the output electronic data (step S26). 

21. Hie method according to claim 19 comprising encrypting log of the input 
electronic data and the update data when storing the log of the input electronic data or the 
log of the input update data (step S12) in the log file (17). 

22. The method according to claim 21 comprising decoding the log of the input 
electronic stored in the log file (17) when the recording medium (4) and the operator are 
certified, and outputting the decoded log data (step S25). 

23. The method according to claim 19, wherein said inputting the electronic data 
(SI 1) also inputs verification information representing who input the electronic data, 

said inputting the update data (step S26) also inputs verification information 
representing who inputs the update data, 

said recording the electronic data on the electronic data record file (16) (step S12) 
associates the verification information representing who inputs the electronic data with 
the electronic data before recording the electronic data on the electronic data record file 
(16), and 

said recording the update data on the electronic data file (16) (step S28) associates 
the verification information representing who inputs the update data before recording the 
update data on the electronic data record file (16). 

24. Hie method according to claim 19, wherein said discriminating the certified 
operator (step S23) compares data representing physical characteristics of an Qperator 
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with previously stored data representing physical characteristics of the certified operator. 

25. The method according to claim 19, wherein said recording the electronic data 
on the electronic data record file (16) (step SI 3) records the electronic data immediately 
after said inputting the electronic data (step SI 1) inputs the electronic data. 

26. The method according to claim 19, wherein said recording the electronic data 
(step S35) records the electronic data on the electronic data record file (16) when said 
discriminations certify said recording medium (4) and the operator. 

27. A computer readable recording medium (51) storing a program which causes 
a computer system comprising an electronic data record file (16) for recording electronic 
data and a log file (17) for storing log of input or updated electronic data to be recorded 
on the electronic data record file (16), said program comprising the steps of: 

inputting the electronic data to be recorded on the electronic data record file (16) 
(stepSll); 

storing log of the input electronic data in the log file (17) (step S12); 

recording the input electronic data on the electronic data record file (16) (step S 13, 

S35); 

discriminating whether a detachable recording medium (4) is certified one or not 
when said recording medium is applied to said system (step S21); 

discriminating whether a certified operator operates said system or not (step S23); 

permitting input of update data for updating the electronic data recorded on the 
electronic data record file (16) when the recording medium (4) and the operator are 
certified (step S25); 

inputting the update data after the permission (step S26); 

updating the electronic data in the electronic data record file (16) in accordance with 
the input update data (step S28); and 

storing log of the input update data in the log file (17) (step S27). 

28. The recording medium according to claim 27, wherein said electronic data 
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input step (step SI 1) also inputs verification information representing who inputs the 
electronic data; 

said update data input step (step S26) also inputs verification information 
representing who inputs the update data; 

said electronic data recording step (step S12) associates the electronic data with the 
verification information representing who inputs the electronic data before recording the 
electronic data on the electronic data record file (16); and 

said update data recording step (step S28) associates the update data with the 
verification information representing who inputs the update data before recording the 
update data on the electronic data record file (16). 

29. A program data signal being embeded in a carrier wave, which represents a 
program for causing a computer system comprising an electronic data record file (16) for 
recording electronic data and a log file (17) for recording input or update log of the 
electronic data to be recorded on the electronic data record file, said program data signal 
comprising: 

a segment for inputting the electronic data to be recorded on the electronic data 
record file (16) (step SI 1); 

a segment for recording log of the input electronic data on the log file (17) (step 

S12); 

a segment for recording the input electronic data on the electronic data record file 
(16) (steps S13.S15); 

a segment for discriminating whether a detachable recording medium (4) is certified 
one or not when said recording medium is applied to said computer system (step S21); 

a segment for discriminating whether an operator is a certified operator or not (step 

S23); 

a segment for permitting input of update data for updating the electronic data 
recorded on the electronic data record file (16) when said recording medium (4) and the 
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operator are certified (step S25); 

a segment for inputting the update data when the update data input is permitted (step 

20 S26); 

a segment for updating the electronic data recorded on the electronic data record file 
(16) in accordance with the input update data; and 

a segment for storing log of the input update data in the log file (17) (step S27). 

30. The program data signal according to claim 29, wherein said electronic data 
input segment (step Sll) also inputs verification information representing who inputs the 
electronic data, 

said update data input segment (step S26) also inputs verification information 
5 representing who inputs the update data, 

said electronic data recording segment (step S12) associates the verification 
information representing who inputs the electronic data with the electronic data before 
recording the electronic data on the electronic data record file (16), and 

said update data recording segment (step S28) associates the verification 
1 0 information representing who inputs the update data before recording the update data on 
the electronic data record file (16). 
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31. An electronic data management system substantially as herein described with reference 
to the accompanying drawings. 

32. A method of managing electronic data, said method substantially as herein described 
with reference to the accompanying drawings. 

33. A computer readable recording medium storing a program substantially as herein 
described with reference to the accompanying drawings. 

34. A program data signal substantially as herein described with reference to the 
accompanying drawings. 

DATED this Ninth Day of June, 2000 
NEC Corporation 
Patent Attorneys for the Applicant 
SPRUSON & FERGUSON 
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